ZTE confirms security hole in U.S. phone

By Gene Ryan Briones on 05/18/2012

Chinese telecommunications equipment and systems company ZTE said that one of its mobile phone models sold in the U.S. has a vulnerability that, according to researchers, could allow others to control the device. Reuters said that the hole affects the Android-powered ZTE Score and that a researcher described the hole as “highly unusual”. Dmitri Alperovitch of cyber security firm CrowdStrike noted that the hole allows anyone with the hardwired password to access the affected phone. “I’ve never seen it before,” Dmitri added. Word about the hole allegedly surfaced this week from an anonymous posting on the code-sharing website pastebin.com.

ZTE confirmed the vulnerability on its Score phone but denied that it affected other models. The company gave assurances that it is working on a security patch and that it will send the update over-the-air to affected users soon. CrowdStrike’s Dmitri Alperovitch said that the backdoor was deliberate because it was being used as a way for ZTE to update the software of the phone. But the researcher questions whether the hole is malicious or just a product of poor programming. Dmitri reportedly said that it could very well be that ZTE doesn’t have very good developers, or that they could be doing it for “nefarious” purposes. That of course is his observation. Google, on the other hand, declined to comment on the issue.